Web lists-archives.com

Re: [Samba] freeradius + NTLM + samba AD 4.5.x




Also I just facepalmed, as I double checked smb.conf right after sending mail, and in samba 4.7 there are new options available for "ntlm auth", as stated in docs:

|mschapv2-and-ntlmv2-only| - Only allow NTLMv1 when the client promises that it is providing MSCHAPv2 authentication (such as the |ntlm_auth| tool).

So that is is I suppose that special "flag" that is used by Microsoft NPS/AD. I t h i n k I tested it before, but couldn't get it to work and had to go back to "ntlmv1-permitted".

I'll test it out later today and give some feedback if needed.

Regards,

Kacper Wirski
||


W dniu 26.03.2018 o 14:37, Rowland Penny via samba pisze:
On Mon, 26 Mar 2018 14:06:24 +0200
"Dr. Peer-Joachim Koch via samba" <samba@xxxxxxxxxxxxxxx> wrote:

Hi,

we have updated our samba AD domain from 4.4.x to 4.5.x.

The release notes for 4.5.0 included  "NTLMv1 authentication disabled
by default".

So we had to enable it to get our radius (freeradius) server working
(for 802.1x).

You would probably be better off asking freeradius.

What would be the best way to change the freeradius configuration in
such a way,

that we can disable NTLMv1 again.

The radius server is used for WLAN (802.1x) and for VPN.

How insecure is NTLMv1 ?

Have you ever heard of 'wannacry' ? or to put it another way 'VERY
insecure'

Rowland


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba